阻止用户甚至不了解AWS S3上的其他用户(文件夹) [英] Preventing a user from even knowing about other users (folders) on AWS S3

问题描述

我有一个关于在AWS S3上编写IAM策略的问题，在Jim Scharf的这篇不错的帖子中，部分得到了解答:

I have a question about writing IAM policies on AWS S3 that was partially answered here, in this nice post by Jim Scharf:

以Jim的帖子为起点，我要实现的目标是阻止用户甚至了解使用S3控制台时可以访问同一存储桶的其他用户. Jim的解决方案以及我发现的其他解决方案都限制了给定用户访问另一个用户文件夹中的内容.但是，没有一种解决方案可以阻止用户"u"执行我所说的部分列表"，即，甚至不显示其内容不允许为"u"的文件夹.

Taking Jim's post as a starting point, what I am trying to achieve is preventing a user from even knowing about the existence of other users that have access to the same bucket while using S3's console. Jim's solution, as well as others I've found, restrict a given user from accessing the contents inside another user's folder. But none of the solutions prevent a user "u" from doing what I call a "partial listing", ie., not even displaying folders whose contents are not allowed to "u".

以下帖子也与我的问题非常相似:

The following post is also very similar to my question:

如何为多个IAM用户设置S3策略，以使每个人只能访问其个人存储桶文件夹?

但与此类文章中的设置不同，我需要类似于一个文件系统结构，在存储桶名称和用户特定文件夹之间有一个中间"主文件夹(就像Jim的文章中一样):

But unlike the setting in such post, I need to resemble a file system structure that has an "intermediate" home folder between the bucket name and the user-specific folder (just like in Jim's post):

mybucket/home/user1

mybucket/home/user1

mybucket/home/user2

mybucket/home/user2

到目前为止，我所做的如下:

What I've done so far is as follows:

• 创建了一个存储桶以及其中的多个文件夹"
• 创建了一些我分组在一起的用户.每个用户在存储桶中都有一个具有相同名称的对应文件夹

• 设置我已附加到该组的IAM策略，如下所示:

• Created a single bucket as well as a number of "folders" inside it
• Created a number of users that I've grouped together in a group. Each user has a corresponding folder inside the bucket with the same name

• Setup an IAM policy that I have attached to the group as follows:

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Sid": "AllowUsersToSeeBucketListInTheConsole",
        "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::*"]
    },
    {
        "Sid": "AllowRootAndHomeListingOfMyBucket",
        "Action": ["s3:ListBucket"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::mybucket"],
        "Condition":{"StringEquals":{"s3:prefix":["","home/"],"s3:delimiter":["/"]}}
    },
    {
        "Sid": "AllowListingOfUserFolder",
        "Action": ["s3:ListBucket"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::mybucket"],
        "Condition":{"StringLike":{"s3:prefix":["home/${aws:username/*"]}}
    }
    ]
}

我了解到，当前缀为"home/"时，上述Sid"AllowRootAndHomeListingOfMyBucket"将授予"ListBucket"权限.实际上，这允许组中的任何用户"u"列出"home"文件夹中的整个文件夹"f"集，而不管"u"是否可以访问"f"的给定元素.我不知道是否有任何设计巧妙的拒绝"规则会限制甚至列出那些不允许显示内容"u"的文件夹.

I understand that the Sid "AllowRootAndHomeListingOfMyBucket" above grants permission to "ListBucket" when the prefix is "home/". Which in effect allows any user "u" in the group to list the entire set of folders "f" inside the "home" folder, regardless of whether "u" would have access to a given element of "f" or not. What I don't know is whether there is any cleverly designed "Deny" rule that would restrict even listing those folders whose contents "u" is not allowed to see.

根据鲍勃·金尼(Bob Kinney)的说法，这在2013年是不可能的:

According to Bob Kinney this was not possible back in 2013:

IAM政策为用户列出S3存储桶中的特定文件夹

但是，我不确定与此同时情况是否有所发展.任何建议都将不胜感激.

However I am not sure if things have evolved in the meantime. Any suggestion is greatly appreciated.

谢谢.

推荐答案

不，这是不可能的，因为该策略允许的不是您可以看到的，而是您可以看到的问看.并要求S3查看对象列表是通过前缀和分隔符完成的.

No, this isn't possible, because what the policy allows is not what you can see, but rather what you can ask to see. And asking S3 to see object lists is done with prefix and delimeter.

导航存储桶时，控制台会在幕后询问以下内容:

When navigating a bucket, behind the scenes, the console asks for these things:

• 单击存储桶:列出存储桶的根(带分隔符/的前缀空字符串)-返回所有常用前缀(文件夹" )以及根目录中的所有对象(最多1个/深度). (未显示，但是在使用控制台创建文件夹时，文件夹名称实际上以/结尾-这是控制台将它们显示为文件夹的唯一原因-隐藏在/后面的实际上是普通的空对象).

• Click on bucket: List the root of the bucket (prefix empty string with delimiter /) -- returns all common prefixes ("folders") and all objects in the root up to one / deep. (It isn't shown, but folder names actually end with / when you create folders using the console -- that's the sole reason the console shows them as folders -- the hidden / at the end of what is actually an ordinary empty object).

单击home:使用分隔符/列出所有位于前缀home/的对象-返回home/下的所有常见前缀和对象，最多返回一个/ -因此，它将返回home/david/，home/emily，home/genevieve/，home/james/等.

Click on home: List all at prefix home/ with delimiter / -- returns all common prefixes and objects under home/ up to one more / -- so, this returns home/david/, home/emily, home/genevieve/, home/james/, etc.

单击david:并在所有前缀home/david/处使用定界符/列出……您可能会明白.

click on david: List all at prefix home/david/ with delimiter / ... you perhaps get the idea.

请注意这三次单击与博客文章中允许的操作如何对应-列出根目录，列出home，列出home下用户的特定目录.

Note how these three clicks correspond with the allowed actions in the blog post -- list the root, list home, list the user's specific directory under home.

缺少列出其他用户主目录的权限，您可以看到它们存在，但无法在其中钻入dowm.

Lacking permisson to list other users' home directories, you can see that they exist, but you can't drill dowm into them.

重申...策略控制的是您可以要求的内容，而不是您可以看到的内容.为了导航到您自己的主目录，您必须能够列出主目录，否则就无法导航到您的主目录.这就是使用控制台无法完成此操作的根本原因-您无法编写任何政策来阻止用户看到他们所在的/分隔层次结构的单个级别中的其他条目允许看到，因为权限是应用于请求的，而不是响应的.

Reiterating... policies control what you can ask for, not what you can see. In order to navigate to your own home directory, you have to be able to list the home directories, or you can't navigate to yours. That's the fundamental reason why this can't be done with the console -- there is no policy you can write that prevents users from seeing other entries within a single level of the /-delimited hierarchy that they are allowed to see, because the permission is applied to the request, not the response.

这篇关于阻止用户甚至不了解AWS S3上的其他用户(文件夹)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！